Contents of the Roots

As per Roots/NewRootsTaskForce we need to create a set of new roots. Here are notes on the contents of each root. See Roots/ContentsDiscussion for the evolving debate on all questions (it holds the vast bulk of what was discussed to create this page). See Roots/Structure for the hierarchy of all roots.

Once the details are debated and agreed on Roots/ContentsDiscussion, place them below. If you have an uncertainty, read the debate over at Roots/ContentsDiscussion, open a section there and notify the maillist or other interested persons.

Layout

Technical Layout

| Field | Name | Old | 2008 | Next | comments |
|---|---|---|---|---|---|
| Version | | version 3 | version 3 | version 3 | Required, no problems. |
| serialNumber | | 0,1 | 2,3,4 (,5,6) | 10 (11,12,13,14) | Needs to be unique within the space of the DN (somewhat undefined, probably CN). Is this right? Same as SKID? |
| subjectKeyIdentifier | | "hash" == sha1(own public key) | "hash" == sha1(own public key) | "hash" == sha1(own public key) | Non-critical extension, obligatory. See RFC 5280 for format & contents. |
| authorityKeyIdentifier | | "hash" == sha1(signing public key), or the signing key's sKID | "hash" == sha1(signing public key), or the signing key's sKID | "hash" == sha1(signing public key), or the signing key's sKID | Non-critical extension, obligatory. See RFC 5280 for format & contents. |
| Cryptographic algorithms | | | | | |
| PK Type | | MD5 with RSA Encryption (1 2 840 113549 1 1 4) | SHA-1 with RSA Encryption (1 2 840 113549 1 1 5) | evaluate SHA-256 (check Apache) | Recently issued roots expiring out to 2040 use SHA-1+RSA. Windows XP does not support (roots with) SHA-2 until SP3. |
| Size | | 4096 bits | 4096 bits | 4096 bits | Good for 30 years. |
| Format | | PKCS1 | PKCS1 | PKCS1 | Standard. |
| Hash | | MD5 | SHA1 | SHA1, re-evaluate SHA-256 for subroots | SHA1 is fine for the root, see Roots/ContentsDiscussion for more. |
| cA | Is a Certification Authority | cA=true | cA=true | cA=true | Critical Basic Constraints extension. |
| keyUsage | | keyCertSign and cRLSign only | keyCertSign and cRLSign only | keyCertSign and cRLSign only | Critical extension, obligatory for roots. Bits 5 and 6 to be set. EV-G-AppB concurs. |

Business Layout

| Field | Name | Current | 2008 Gen | Next Gen | comments |
|---|---|---|---|---|---|
| O | Organisation | Root CA | CAcert.org - Community Certification Authority | CAcert.org - Community Certification Authority | Is the standard layout, see below. |
| OU | Organisational Unit | http://www.cacert.org/ | Permission to USE at http://go.cacert.org/use | need to re-think this one | OU is somewhat free for a business-side message. |
| CN | Common Name | CA Cert Signing Authority | CAcert.org | CAcert.org | Current favourite, could change. |
| Extensions | (mark which critical) | | | | |
| Certificate Policies | | http://www.cacert.org/index.php?id=10 | http://go.cacert.org/use | ditto | This is the "preferred" field for policies. The "use" document is the first and most important. Not critical. |
| Subject:serialNumber (OID: 2.5.4.5) | | none | none | (Association Registration Number) INC9880170 | Mozilla discussion on Registration Numbers (needed for EV but could be possible to use ?????). Not critical. |
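As an added example (not part of this wiki page or of CAcert's own tooling), the Technical Layout and Business Layout rows above expressed as an openssl config for a self-signed root, followed by a check that the produced certificate carries every required field. It assumes openssl(1) is installed, takes the Next Gen DN, serial 10 and the 30-year validity from the tables, signs with SHA-256 (listed above as under evaluation) so current openssl builds accept it, and omits certificatePolicies because the page gives no policy OID.

```shell
#!/bin/sh
# Added example: openssl config for a root matching the layout tables above.
# Assumes openssl(1) in PATH; key file and temp dir are constructed here only.
set -e
WORK=$(mktemp -d)

cat > "$WORK/root.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = root_ext

[ dn ]
O  = CAcert.org - Community Certification Authority
OU = Permission to USE at http://go.cacert.org/use
CN = CAcert.org

[ root_ext ]
# "hash" == sha1(own public key); AKID refers to the signing key's SKID
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# cA=true in a critical Basic Constraints extension
basicConstraints       = critical, CA:TRUE
# keyCertSign and cRLSign only (bits 5 and 6), critical
keyUsage               = critical, keyCertSign, cRLSign
EOF

# Version 3, RSA 4096, serial 10 (the "Next" root), 30 years (10950 days).
# SHA-256 rather than SHA-1 so current openssl builds accept the signature.
openssl req -new -x509 -newkey rsa:4096 -nodes -sha256 -set_serial 10 \
  -days 10950 -config "$WORK/root.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# check_root CERT: returns 0 when the certificate text shows every field
# the Technical Layout table requires, 1 otherwise.
check_root() {
  t=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$t" | grep -q  'Version: 3'                         &&
  printf '%s\n' "$t" | grep -q  'Serial Number: 10 (0xa)'            &&
  printf '%s\n' "$t" | grep -q  'Public-Key: (4096 bit)'             &&
  printf '%s\n' "$t" | grep -q  'X509v3 Basic Constraints: critical' &&
  printf '%s\n' "$t" | grep -q  'CA:TRUE'                            &&
  printf '%s\n' "$t" | grep -q  'X509v3 Key Usage: critical'         &&
  printf '%s\n' "$t" | grep -qx ' *Certificate Sign, CRL Sign'       &&
  printf '%s\n' "$t" | grep -q  'X509v3 Subject Key Identifier:'     &&
  printf '%s\n' "$t" | grep -q  'X509v3 Authority Key Identifier:'
}

check_root "$WORK/root.pem" && echo "root.pem matches the Technical Layout"
```

The same check_root function can be pointed at an existing root PEM to confirm it matches the table before it is published.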

Individual Layout

| Field | Key | Content | comments |
|---|---|---|---|
| Serial number | Root | 10 | (0,1 are old roots, 2,3,4 are 2008 roots) |
| | Member | 11 | "Member", formerly Class 1 |
| | Assured | 12 | "Assured Member", formerly Class 3, approximately Class 2 |
| | Assurer | 13 | "Assurer", approximately Class 3 |
| | Organisation | 14 | "Assured Organisation", approximately Class 3 |
| O | Root | CAcert.org - Community Certification Authority | |
| | Member | CAcert.org - Community Certification Authority - Member | |
| | Assured | CAcert.org - Community Certification Authority - Assured Member | |
| | Assurer | CAcert.org - Community Certification Authority - Assurer | strawman |
| | Organisation | CAcert.org - Community Certification Authority - Assured Organisation | strawman |
| Validity | Root | 30 years | CPS6.3.2 specifies 30 years (the 2008 root is limited by the Y2038 bug, so it has 29.5 years) |
| | Member | 10 years | CPS6.3.2 specifies 10 years |
| | Assured | 10 years | |
| | Assurer | 10 years | |
| | Organisation | 10 years | |

In the table above, I've added the ideas for Assurer and Organisation subroots. However, these are strawmen at this stage.

Deprecated

The following should not be in the root or the subroots:


Roots/Contents (last edited 2011-02-20 17:20:07 by UlrichSchroeter)